MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 951049989eb772c71ec4fa9f0685ab45cae755ca5d34cf3089fd791999fafa1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner
Vendor detections: 12
SHA256 hash: 951049989eb772c71ec4fa9f0685ab45cae755ca5d34cf3089fd791999fafa1c
SHA3-384 hash: 970cd778ec9a854d74a1952a77aa948bc44f138c44e9822ce1ec186c96c805a40786eb1cac2d3cab6aa35c57a63b7e60
SHA1 hash: 82c340ac9d9b6d2ae685975de48d362b7185c4a8
MD5 hash: 7ebb0431ce9219a584997a26142c4398
humanhash: six-spring-ceiling-monkey
File name: 951049989EB772C71EC4FA9F0685AB45CAE755CA5D34C.exe
Signature: GCleaner
File size: 7'610'171 bytes
First seen: 2021-11-10 02:50:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:JKIFx5K63KRQRCmKx+lLZ2A/FzS0Spb1R1NNd:J/FLKZRQR6CLg+FzS0ybn1t
TLSH: T1FE763320A4E2AA07FDCDD83529E1E8446381EFE32956E9C4D6F1FC4933590A9D746BC3
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
45.144.31.193:5785

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
45.144.31.193:5785   https://threatfox.abuse.ch/ioc/246310/

Intelligence


File Origin
# of uploads: 1
# of downloads: 145
Origin country: n/a

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys overlay packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Backstage Stealer FormBook RedLine Socel
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected FormBook
Yara detected RedLine Stealer
Yara detected Socelars
Behaviour
Behavior Graph: [behavior graph image omitted] Behavior Graph ID: 518896, Sample: 951049989EB772C71EC4FA9F068..., Startdate: 10/11/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-10-05 03:03:56 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook

Result
Malware family: socelars
Score: 10/10
Tags: family:redline family:smokeloader family:socelars botnet:ani botnet:jamesoldd aspackv2 backdoor evasion infostealer spyware stealer suricata themida trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Malware Config
C2 Extraction:
Unpacked files
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: RedLine_b
Author: @bartblaze
Description: Identifies RedLine stealer.

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.